Submission to the ICO 
Data sharing code of practice: Draft code for consultation 
Comments 


The updated code does not include guidance with regard to sharing of data where the 
Transfer of Undertakings (Protection of Employment) Regulations 2006, as amended 
("TUPE") apply. 


TUPE contains provisions requiring the provision of specified information by the transferor 
of a business (usually the seller, or in the case of services, the client of incumbent service 
provider) to the transferee (buyer, or the new service provider). These requirements also 
apply where there is a "service provision change" covered by TUPE — i.e. an outsourcing or 
insourcing of services by a business or public body, or a change of service provider. The 
information has to be provided at least 28 days before the date on which the employees 
transfer. 


It is also common for parties to seek more information about transferring staff than is 
required to be provided under TUPE and/or at an earlier stage than required under TUPE. 
This is because in many transactions, employment costs and liabilities are a key area of risk 
for the buyer / transferee, who will therefore want as much information as possible at an 
early stage in order to assess this and price accordingly. The amount and types of 
information that can lawfully be provided, and at what stage in a sale or tender process, is a 
common area of concern for transferors / sellers. 


We therefore see a number of queries from our clients relating to the provision of 
information in the context of a transfer to which TUPE applies, and we think further 
guidance from the Information Commissioner's Office on this point would be useful and 
appreciated by all parties involved in or affected by such transactions. This could perhaps 
be done by updating the ICO's Good Practice Note on disclosure of employee information 
under TUPE, dated 21 May 2008. 
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Transfer of Undertakings Protection of Employment 2006, as amended (TUPE) 


TUPE may apply where there is (i) a transfer of an undertaking, business, or part of an 
undertaking or business, or (ii) a ‘service provision change’ (this commonly describes 
insourcing and outsourcing arrangements, e.g. where a contractor takes over provision of 
services to a client where the client itself or another contractor has previously provided the 
services, or a client takes the provision of services in house at the end of such a contract). 


One of the main purposes of TUPE is ensure that where a "relevant transfer" (as defined in 
the legislation) takes place, the contracts of employment of those employees affected are 
transferred automatically from the current employer (the transferor) to the new employer 
(the transferee) and that those employees’ terms and conditions of employment are 
protected and preserved. 


Regulation 11 of TUPE requires that the transferee is provided with specific details about 
their new workforce within a specified time period in advance of any relevant transfer. 


What information must be given to the new employer under TUPE? 


Regulation 11 of TUPE requires that the following information (known as 'Employee Liability 
Information’ or 'ELI' for short) must be given to the transferee before the relevant transfer 
takes place: 


e the identity (usually the name) and age of the employees who will transfer. 


e the particulars of employment that the employer is obliged to give an employee under 
s.1 of the Employment Rights Act 1996 (which includes a written statement of pay, 
hours of work, holidays and other key provisions); 


e details of (i) any disciplinary action taken against an employee and (ii) any grievance 
action raised by an employee, in the last two years; 


e details of any legal action (before the court or employment tribunal) (i) brought 
against the employer by an employee in the last two years or (ii) that the transferor 
has reasonable grounds to believe that an employee may bring against the transferee 
arising out of the employee's employment with the transferor; and 


e information about any relevant collective agreements which will have effect after the 
transfer. 


The transferor must provide this information at least 28 days before the date of the relevant 
transfer takes place (usually, but not always, the closing of the transaction). If special 
circumstances render this not reasonably practicable, the transferor should supply it as soon 
as reasonably practicable. 


Can employers disclose this ELI under the GDPR and DPA 2018? 


Transferors must disclose the ELI required under TUPE. If the transferor fails to do so in 
the time required, the transferee can bring a claim for compensation in the employment 
tribunal within three months of the date of the relevant transfer. 


The transferor is permitted to disclose this information and the transferee is permitted to 
process this information as it is required by law. That said, both parties must take care to 
comply with data protection principles when handling this personal information. For 
example, they should make sure that the information is accurate, up to date and secure. The 
transferee must be careful to use the information only for the purposes intended under 
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TUPE, such as assessing possible liabilities or planning how employees are going to be 
integrated into the business. 


Both parties will need to consider and implement appropriate safeguards to make sure that 
the information will only be used in connection with the proposed business transfer and will 
only be retained for a limited period in accordance with the data minimisation and retention 
requirements and exemptions under the GDPR and the Data Protection Act 2018. 


Transferors are permitted to provide the ELI at an earlier stage of the 28t day prior to the 
transfer (the legislation simply requires that such information is provided no less than 28 
days prior to the transfer). They should still consider the key implications of doing so, the 
timing of the request and whether such data could be provided anonymously. 


Can employers disclose information that does not form part of the ELI prior to 
a relevant transfer under TUPE? 


There may be situations when transferors receive requests for information about their 
transferring workforce in addition to that required under Regulation 11 of TUPE or at an 
earlier stage than required under Regulation 11 of TUPE. 


e some transfers are outside the scope of TUPE (such as share acquisitions); 


e inthe early stages of the sale of a business or a service provision change there may be 
a number of potential bidders, only one of whom will become the eventual transferee 
but all of whom need certain information to assess whether to pursue the purchase or 
services contract; or 


e the prospective transferee may request more information than is required under the 
TUPE regulations. 


The transferor should consider any such requests carefully, including the scope of the 
request, the nature of the information sought and the timing of any such request. It should 
identify the purpose of the request and the potential harm to the affected employees in 
providing the information requested. It must also consider the applicable legal basis for 
processing in each case. The parties are advised to follow certain key guidelines when faced 
with such requests. 


e Transferees should only seek, and transferors should only provide, the minimum 
information needed and should ensure that it is as accurate and up-to-date as 
possible. 


e Outside of the ELI requirements, transferees should only request information that is 
likely to affect the pricing, or would be needed to run the business. They may not 
make any request for special categories data (such as information pertaining to an 
employee's health, race, ethnicity religion or belief, trade union membership etc.). 


e Similarly, outside of ELI requirements transferors should only provide identifiable 
information if the transferee has a reasonable business interest in this (e.g. to 
understand employee liabilities or skill sets) and it is not reasonably possible to 
understand this from aggregate or anonymous data. 


e Wherever possible, the transferor should provide such information in aggregate, 
anonymised or pseudonymised form. 
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e Transferees should always carefully check the information received from a transferor 
in response to a request, and should securely and safely delete or destroy any 
excessive information and should notify the transferor accordingly. 


e In the case of competitive tenders, the tendering party should consider what 
information will be required by bidding parties, and at what stage such information 
may be required. 


De-identification (whether anonymization, where possible, or pseudonymisation) may mean 
removing individual names, but could also include key identifying information such as job 
titles, salary, bonus details or age. Aggregating information is another useful way of 
ensuring individuals are not identifiable. Transferors should consider whether there are 
factors that would allow the re-identification of the individual; for example, if data is 
provided by office/team/etc., smaller data sets may lead to re-identification. Employers 
should consider disclosing any or all of the following in place of full personal information: 


e average or banded salary and age information 


e template contracts rather than actual signed contracts signed, or anonymising key 
information in template contracts; and 


e generic policies and generic descriptions of benefits. 


Do employers need to notify employees? Do employers need employee 
consent? 


Organisations are required to inform individuals if their personal data is being shared, which 
would include disclosure on a corporate transaction or service provision change. 


e Employers should ensure that any privacy notices or policies include general 
information about the treatment of staff personal data in transactions. 


e Provided that any early stage disclosure is in aggregate, anonymised or 
pseudonymised form, or is otherwise exempt from requirements, no additional notice 
should be required. 


e At the stage at which identifiable personal data is shared, the parties may need to 
notify individuals of the transfer and about the new controller. 


Depending on the scope of the information sought, employers should consider whether they 
should seek consent of the individuals concerned (and whether such consent would be valid), 
or whether an alternative legal basis can be identified. 


How should any such information be provided? 

The parties should use secure and appropriate methods to transfer staff personal data, 
whether it falls within or outside the ELI obligations; this may mean a secure data room, 
intranet or portal, depending on the circumstances. 

The parties should avoid sending large volumes of employee data via email, and any personal 
data sent via email should be encrypted or password protected (noting that the password 
should be sent separately). 


When sharing information by email, care should be taken to ensure that the information is 
shared with as few people as possible and in all cases only with those who need to know. The 
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parties should check for typos, errors, inconsistencies in email addresses and query the 
involvement of any unusual / unexpected potential recipients. 


Particular care should be taken with regard to special categories data (if such data can be 
shared at all). 


Post completion: Can employment records be given to the transferee following 
a relevant transfer under TUPE? 


Once it is certain that a transaction or service provision change will go ahead, more detailed 
information can legitimately be provided by the transferor to the transferee(s) as in most 
cases, the transferee will need a large proportion of an individual’s employment record in 
order to manage the transferred workforce and run the transferred business / operate the 
transferred services. This may in particular include additional special categories data. 


The transferor should only share the data that is necessary for the purposes of the transfer 
and the continuation of the employment relationship between employee and transferee. If 
should review the information to be provided and should consider whether all the 
information in the personnel files is needed. 


Can the former employer keep personal information after a transfer? 


The transferor may be required to retain some personal information about former employees 
(for example, to deal with liabilities or defend employment claims, or in compliance with any 
tax or other legal obligations). 


The transferor should only retain any such information for as long as necessary and whilst it 
has a legal basis for such processing. It should then securely and safely delete or destroy any 
information that is no longer needed and/or for which there is no continuing legal basis for 
processing. 


Recommended good practice 


e Transferors and transferees should consider the implications of data protection at the 
outset, and should further consider the implications when one or other of the parties 
identifies that TUPE may apply. 


e The parties should agree what information should be transferred, and how, well 
before a transfer takes place. 


e Each party should ensure that appropriate documentation and appropriate technical 
and organisational measures are put in place ahead of the transfer of any staff 
personal data. This includes confirming that appropriate notifications to staff of the 
treatment of their personal data in the event of transfer under TUPE have been made 
in advance of any such transfer of staff personal data. 


e The parties should ensure that those responsible for negotiating the transfer of staff 
are aware of their responsibilities to comply with data protection principles, for 
example, to keep personal information up to date and secure. 


e Transferors should ensure that they meet the ELI requirements under TUPE. For 
requests that fall outside of the ELI requirements, transferors should consider the 
nature, scope, purpose and timing of the request. The transferor should consider 
whether personal information which is not requested in accordance with Regulation 
11 could be anonymised or pseudonymised before it is provided. 
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Each party should ensure that any information provided prior to a relevant transfer 
under TUPE taking place is used only for the purposes intended under TUPE. 


The transferor should ensure that employees are made aware that their information 
will be passed to the transferee. This may not always be possible if, for example, 
‘insider trading’ restrictions apply. 


Each party should ensure that, once the transfer of staff has been taken place, any 
staff personal data and employment records are accurate, relevant and up to date and 
any unnecessary information or information for which the party no longer has 
grounds to process is safely and securely deleted or destroyed. 
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